EMERGING RISKS & HOW TO FORECAST THE FUTURE

Posted on by Henrik Parkkinen

This article will continue on the subject of emerging risk in combo with how to forecast the future. Intentionally I did not say “predict the future”, as this is impossible. Forecasting is though something different that I as a Risk Management fan think is somewhat achievable.

No, I have not invented the time machine and I do not have the magic crystal ball crafted by an ancient Warlock that contains all the answers to what ever the future holds. And, to make things clear. I do not either have the manual for how to create that time machine or the ingredients for that magic crystal ball. If this was what you were looking for, you may stop reading right now as you otherwise will be disappointed.

What I will give you, through reading this article, are some principles, methods, and thoughts around how you and your organization can become better at forecasting future things.

Before you continue the reading it can be wise to go through this article, What are emerging risks?. In this article, I put context and an explanation around emerging risk in the context of security. If you are somewhat new to risk management and want to know more about the subject and my thoughts, I recommend you to start here What is Risk Management.

HOW TO FORECAST THE FUTURE

Assessing emerging risks can absolutely be done with the help of a “traditional” risk assessment and analysis methodology. But to better understand the effects of emerging risks there is also a need to step into that future state of the mind. The time machine has not been invented yet, as far as I know at least. So the question comes down to, how can we do those futuristic analyses of things that have not taken place?

I have witnessed this task, making future analysis, become something very complex and advanced. There can absolutely be a strong need to use complex models and methodologies for analysis of the future but I would say there are other places to start at.

Hang on now, this one is a very effective method! There are people who have studied “how to forecast the future” and there are also people who are researching about how the future will pan out. These are persons who spend their time, knowledge, experience, wisdom and also get paid for doing so. These are the persons who can help us in our own forecast and to increase the accuracy of those things that we do not clearly see in front of us.

One of these persons, that I personally see as a forecasting end boss of the future, is Ray Kurzweiler. Read and listen to what he has to say. You do not need to agree with everything, or with me thinking he is an end boss of the topic. But I can assure you, reading and listening to him will provide you with learnings and new knowledge.

“Our technology, our machines, is part of our humanity. We created them to extend ourselves, and that is what is unique about human beings.”

Ray Kurzweil

To better understand the future in front of us we should spend more time studying trends. And I think one very effective way, to get a jump start and to better understand what a potential future holds for us, is to read, listen and follow a couple of persons who are studying and researching about the future. I have given this specific recommendation to many in my surrounding who want to “get better at understanding the future”. I mean, why not listen to those persons who spend their time researching and studying the future? It is a very effective and well-tested concept, i.e. to listen and learn from people who are experts at a given subject.

Doing so, following these kinds of persons who study and research the future, will give you a good general understanding of what their viewpoints and thoughts are. It may not be totally applicable to your industry, market, or organization in which you or your organization operate. We will come back to this a bit later on the road about how to handle this part.

Emerging technology are emerging risks

Another thing that I recommend you to do, to better understand a potential future outcome, is to study mega trends taking place in the world. Such as for example mega trends related to finance, psychology, geo-politics, cyber security, and technology. The list goes on. These mega trends might be somewhat more specific to the industry or organization in which you are operating.

But do not close your mind or perspectives on only the market and industry where your organization operates. Many markets and industries have a high carryover between each other. A trend might start a bit earlier in one market or industry and propagate to another or do so due to the nature of evolution.

And yes, we can of course use historical data and information about past events. But we can not only rely on past events (data, information, knowledge, wisdom etcetera) to prognosticate and extrapolate future effects and outcomes. I think that historical data and information can be useful for indications and understanding of for example population tendencies. However, this does not mean those tendencies identified are relevant for the future scenarios derived from the emerging risks identified.

Aggregating data and information from both historical things and future stuff is though not enough. Putting loads of data and information on the table will not do the job for us or give us the information about the future. It will not do the building, verbalizing, or illustration of the future for us.

So what can be done with all the gathered data and information about the future? I personally find a skill that we as children apply almost daily as a useful tool. As adults, we apply it less often. Imagination. And when I say imagination I do not refer to it as fantasizing about totally unrealistic things. In this case, I think of imagination as the tool to be used to process the collected data and information by putting it into contextual scenarios related to our own organization.

how to do it?

“You have to let it all go, Neo – Fear, doubt, and disbelief. Free Your Mind!”

Morpheus, The Matrix

Emerging risk analysis is one of those disciplines where we should stretch outside of the present and past state. We need to take the data, information, and trends into consideration but we also need to apply it into scenario-building exercises.

It is not easy to let the mind wander away and let it travel into the future. When I ask people to do this on request during a risk assessment exercise there are usually very few who actually can switch on and just go into this state. And to be able to do so, in a more realistic and context-based way and applicable to the organization you are working for, you need some data, information, and trends to float around in.

Emerging risks, as with all forms of risks, exist in a context. They are built up around scenarios. They do not appear in a vacuum or just pop-up. There is usually some form of indicators that we can look for on the horizon.

As children, we had little hinders in front of us when it came to future predictions and fantasies. Our minds were free, as Morpheus’s mind in The Matrix where he coaches Neo to let it be free. We were curious. And we stayed curious. If we did not have the answers to things, we kept searching. Within our imaginations. With the help of others. Asking questions to our parents, friends, and teachers. We collaborated.

We shall also keep in mind that the “state of the future” can be subjective. We as Humans do not share the same experience, knowledge, and perspectives of the future and not in relation to emerging risks.

Think about it, a professor who has studied a certain subject for decades will have a very different view on how quantum technology will play out compared to a group of cyber security experts or business leaders. It is not a debate on who is right and who is wrong. It is more of an exercise to be done together within the organization to come closer to the answer to the question “What emerging risks do we as an organization see?”.

And a good way to get a better understand of this might be to invite that professor into your organization and to pick his brain a bit. Once again, listen and learn from the experts. It can be a very effective and investment-friendly time spent. I can promise that it will also speed up the process for you. This person has studied the data, information and trends waaaaaaaaaaaaaay more and understands them even better. But he will not have the same contextual or organizational understanding of your business as you and your team does. This is where you and your organization have the “edge”. You know your organization better then any outside person does. You know how your organization operates. You know all the current pain-points, opportunities, past successes, the culture, the people. Or at least, this is how it should be.

You and your organization need to make sure the scenarios built for the emerging risks are based on an applicable context relevant and realistic for you. A person coming from the outside might be helpful to facilitate the exercise but this person is not an expert in your organization.

But before even kicking off the work, I think every organization should define what an emerging risk means for them. Every and each organization is not the same. But I think that some general principles and guiding is helpful. So let me show you a couple of those and explain how it can be done.

DEFINING EMERGING RISKS

When defining what an emerging risk is for your organization an important attribute to decide on is the timeline. In what amount of time is the risk considered as emerging. How many months or years?

I would say that risks below one year are something of an operational and tactical character. A two-year timeline into the future can also be a “to short” of a timeline in certain organizations. The thing here is that the timeline is also something that will fluctuate in length between organizations.

Risk is something that is subjective and strongly correlated to each organization and its appetite for risk. Risk exists in a context and the context will shift in form between organizations.

Operational, tactical, strategic and emerging risk

It can be wise though to start with maybe somewhere in between, let’s say maybe 18 months. Start from there and use that as a timeline for how far into the unknown future you and your team in the organization will contemplate.

As maturity and the skill around this form of risk assessment methodology increases the timeline can be expanded. Simple as that, isn’t it?

It is also wise to form a common ground and terminology of what an emerging risk is for your organization.

Some of the below questions might lead you and your organization closer to answer of the definition:

  • Are there specific attributes that apply to the industry your organization is operating in?

  • Are there any forms of specific assets that the threat may be more relevant for in relation to those emerging risks?

  • Is it possible to establish metrics to better understand changes of the risk and the potential likelihood and impact that is emerging?

  • How can the changes to the emerging risk be monitored over time?

  • When and at which metric is a signal triggering that certain actions, related to the emerging risk, shall be taken?

  • Who is responsible for the monitoring of the emerging risk?

  • Who is responsible for conducting the mitigating actions related to the emerging risk?

  • Are there other partners or alliances who you can establish relationships with to exchange valuable and actionable information?

  • When is the emerging risk considered as an operational, tactical, strategic, technical, or business risk?

WHERE TO START?

If your organization has a current risk management framework in place, I recommend using that risk assessment process. Personally, I do not think there is a need to have a different process for managing or assessing emerging risks. And I am totally fine with that other things otherwise. That emerging risk management should follow a different process for this and that reason.

I see risk management as a cognitive tool, a cognitive magic 8ball. The main difference when working with emerging risk management is to spend more time in data & information gathering and scenario-building phase. To spend more cognitive energy and those super-powers on crafting and analyzing the possible future scenario. Analyze trends. Apply the trends to your organization and context. More about this in the next section.

The process for assessing emerging risks is no different

Start with investing time and resources to periodically exercise emerging risk assessments. Start easy and do the exercises together as a team. The more brainpower that joins up together the better. Of course, it is hard to facilitate a group of twenty persons compared to five persons. A good idea is to start in a smaller group.

The first step would be to scan the horizon and security landscape. Gather information from external sources, partners, vendors, and your network. Gather information related to the industry and market in which your organization operates. I went through a method at the beginning of this article (you remember that one?).

The next step is to consolidate the collected and gathered data and information. Condense it down to what is applicable to your organization. From here, start to build the scenario(s). This is where the fun part starts…at least according to myself.

The three activities that, are highly interesting to spend a good amount of energy on are those highlighted in the above illustration.

  • Data & Information Gathering – the more data and information we can gather to better understand the emerging risk will help us to understand the potential impact.

  • Scenario building & Analysis – as in every situation, project, and decision intelligent decisions can best be made with a better understanding we have of the context, situation, and scenario. The more data and information we have collected and gathered we can build the stronger and better scenario. In this way, we can better forecast the future, impact, and likelihood of the emerging risk.

  • Signal trigger – the data and information we have gathered will help us to understand what triggers the emerging risk. It is with the help of this data and information we develop the signal triggers for the emerging risks. When those signals are triggered we and our organizations shall take certain already and in advance agreed and discussed responsive actions to respond to the emerging risk.

COLLABORATE

Approach the scenario-building exercise without judging or questioning the performance of the participants. Yes, I need to say this. It is not easy to be futuristic. Everyone is not the kind of person who just can switch on those brain cells and be “futuristic”.

Is there someone in the team who likes to lead and facilitate? Encourage this person to coach others. Showing the way and sharing his or her emerging risk magic 8ball, i.e. cognitive thought process.

An open-minded attitude and patience are two strong ingredients that will provide positive effects in these exercises. And I would also recommend not trying to do this as a marathon exercise, it can be mentally taxing.

Do not put this as the last thing on a Friday after that lunch or when there is an after-work at the other end of the day waiting. Find a good place and time for the exercise. Change the environment, and leave the office for a while during these exercises. Maybe conduct the exercise outside and at the same time get some fresh air?

There are better ways to forecast the future.
There are better ways to forecast the future and to manage emerging risks. Tarot cards are not one of them.

Another good idea would also be to do it as an exercise in the earlier part of the day. When the team comes in fresh after a good night of sleep and fully charged brainpower. As I said, it is an exercise. It shall be somewhat taxing and not just a pick-nick. But if you, do it as a team it becomes easier. The purpose is not to red-line the brains of the participants. Help each other, it is a team exercise. Coach your teammates if they get stuck.

Be humble and keep in mind that all persons do not work or function the same way. Those who speak a lot may have that kind of need due to that it is how their thought process works. Others will maybe sit there and not say much for 52 minutes of those 60 but come up with the greatest ideas during the last 8 minutes.

Humans are incredible in so many ways so do not expect that everyone will perform the same way in an exercise like this. I am the kind of person who contemplates a lot. Around many things. I like to analyze stuff. I gladly share my thought processes with people around me with the hopes that others can learn from me.

I am not saying that I am an expert thinker or a great philosopher. This is just who I am, and I am willing to share what is going on in my thought process. I do not expect others to work or do it the same way. We are wired differently and that is ok, and this is just how it is. We are Humans.

The power of sharing a thought process is for me one way to contribute to the team. Security is a team sport. If I am sitting there, alone with my great thoughts and contemplation they have very little power. They provide no real value-adding benefits or effects. They are my own. And what can I accomplish on my own without my teammates? The results will become slim compared to the collected power from a team.

EPILOGUE

The four main skills, as I see it, that are strongly relevant for becoming better at forecasting and strategizing around futuristic events are:

  • Research
  • Imagination
  • Curiosity
  • Collaboration

If you invest as little as 1 hour every month in emerging risk management and you have a team of 5 people this will equate to approximately 50 hours during a year. If you compare those 50 hours to 0 hours of emerging risk management, it is a drastic increase.

Will this investment mitigate and reduce the negative impact and likelihood of those emerging risks? No. The sh*t may still hit the fan anyways, but I can promise that you and your organization will be much better prepared for those scenarios you have contemplated and discussed together. It can save loads or dollz, resources, and lives and increase the protection of the organization’s assets. And you and your team will also gain new knowledge and wisdom.

Take away from this article is to ask yourself how emerging risk management could help you and your organization. How can you establish a pragmatic and sustainable method for assessing emerging risks? And it is better to start small and to start now instead of trying to do those gigantic things. Execute on a small scale and learn along the road.

I strongly believe that emerging risk management will grow and increase as a discipline over time. Why I think so is because of the ongoing high-paced technology evolution. The technological evolution is exponential. It is irreversible. We cannot and should not fight against it. Instead, we should go with it but with an aware mindset. Being risk aware.

And I am a strong believer in that we, as security practitioners should be those asking ourselves the critical questions. We should be those who are experts in our organization and understand the security implications of certain things that might take place.

Zoltar will not, independent of all the magical powers he holds (= certifications, field experience, degrees, vendor education, technical know-how, and other things) and money you throw on him, have the same insight as you.

Zoltar the Risk Management wizard

I do not think that outsourcing risk management, emerging or not, to a Risk Management Wizard like Zoltar for example should be a thing. This is a skill that should reside within the inside of an organization. This is and should be a key skill, knowledge, and wisdom in which investments are made and remain and reside within the organization. No one will be better at understanding your organization compared to you who are working in it. You are the expert in your organization. Not Zoltar.

I will not (and should not) have the same insight of your organization coming form the outside as you have and the other way around. I will most certainly have value to bring to the table when it comes to security and risk management, but that is another thing though.

We should help ourselves and work as a team to look behind the present and past. Spend a bit more time looking into the future. This is also something that can be incredibly fun. It can teach us and wake up those superhero powers we used to be great at as kids, i.e. imagination. Let our minds be kids again (but in a realistic context) and do not let it grow old. We all have that little kid-version of ourselves inside of us.


This article was not and shall not bee seen as the ultimate solution for how to work with Emerging Risk Management. And I do not think there is only "one" way for doing things. There are though worse and better.

I suggest you, who reads this article, to use the content to better understand what and why Emerging Risk Management is a thing when it comes to security.

Be pragmatic.

Start now. Start simple. Imagine. Be open-minded. Analyze. Think. Help each other. Together. Contemplate.

Henrik Parkkinen